Ransom.Win64.CROSSLOCK.THDAHBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• %System%\notepad.exe → used to patch ntdll.dll and bypass ETW
• cmd.exe /c "wevtutil cl application"
• cmd.exe /c "vssadmin delete shadows /all /quiet"
• cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
• cmd.exe /c "wbadmin DELETE SYSTEMSTATEBACKUP"
• cmd.exe /c "wbadmin delete catalog -quiet"
• cmd.exe /c "bcdedit /set {default} recoveryenabled No"
• cmd.exe /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
• cmd.exe /c "wevtutilcl system"
• cmd.exe /c "wevtutilcl security"
• If the parameter --uac or -ub is used and the executable is executed without administrative privileges:
  • cmd.exe /c "reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d \"{Malware File Path}\{Malware File Name}\" /f"
  • cmd.exe /c "C:\windows\system32\eventvwr.exe"
  • cmd.exe /c "reg delete HKCU\Software\Classes\mscfile /f"
• If the parameter combination --host or -H, --user or -u, and --pwd or -p is used:
  • cmd.exe /c "net use \{Host Name}\IPC$ /u:{Username} {Password}"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Process Termination

This Ransomware terminates the following services if found on the affected system:

• SQLSERVERAGENT
• SQLTELEMETRY
• MSSQLSERVER
• WIDWriter
• SQLWriter
• vss
• sql
• svc$
• memtas
• mepocs
• sophos
• veeam
• backup
• GxVss
• GxBlr
• GxFWDG
• GxCVDG
• GxCIMgr
• DefWatch
• ccEvtMgr
• ccSetMgr
• SavRoam
• RTVscan
• QBFCService
• QBIDPService
• Intuit
• QuickBooks.
• FCS
• QBCFMonitorService
• YooBackup
• YooIT
• zhudongfangyu
• sophos
• stc_raw_agent
• VSNAPVSS
• VeeamTransportSvc
• VeeamDeploymentService
• VeeamNFSSvc
• veeam
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• AcrSch2Svc
• AcronisAgent
• CASAD2DWebSvc
• CAARCUpdateSvc

It terminates the following processes if found running in the affected system's memory:

• sql
• oracle
• ocssd
• dbsnmp
• synctime
• agntsvc
• isqlplussvc
• xfssvccon
• mydesktopservice
• ocautoupds
• encsvc
• firefox
• tbirdconfig
• mydesktopqos
• ocomm
• dbeng50
• sqbcoreservice
• excel
• infopath
• msaccess
• mspub
• onenote
• outlook
• powerpnt
• steam
• thebat
• thunderbird
• visio
• winword
• wordpad
• notepad
• sqlwriter
• sqlservr
• javaw
• java
• bpjava-susvc
• nbproxy
• avrd
• tldd
• bpdbm
• vmd
• bpjobd
• bprd
• nbpem
• nbjm
• bpcd
• bpinetd
• nbemm
• nbaudit
• nbars
• nbvault
• nbstserv
• nbsvcmon
• nbsl
• nbrb
• nbrmms
• vnetd
• nbim
• nbevtmgr
• nbdisco
• nbatd
• ltid
• pbx_exchange
• dbsrv17
• bpcompatd
• secfsd

Other Details

This Ransomware does the following:

• It checks if the process is executed in a WINE environment.
• It bypasses Event Tracing for Windows by patching the ntdll.dll module.
• It displays the following on the console during encryption:
  

It accepts the following parameters:

• -h → Help Menu
  
• --path, -P → Encrypt the specified path
• --host, -H → Remote address name or DNS
• --domain, -d → Domain name, the default domain name is (.)
• --user, -u → Username to be used for authentication, use it with remote host and password
• --pwd, -p → Password to be used for authentication, use it with remote host and username
• --uac, -ub Bypass UAC, default is false

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• ---CrossLock_readme_To_Decrypt---.txt
• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• bootmgr
• bootmgr.efi
• bootmgfw.efi
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files found in the following folders:

• AppData
• Boot
• Windows
• Windows.old
• temp
• perflogs
• Tor Browser
• Internet Explorer
• Google
• Opera
• Opera Software
• Mozilla
• Mozilla Firefox
• $RECYCLE.BIN
• $Recycle.Bin
• System Volume Information
• ProgramData
• All Users
• application data
• Program Files
• Program Files (x86)
• #recycle
• Perl64
• Perl
• Python3
• Python27
• Python
• intel
• msocache
• $windows.~ws

It appends the following extension to the file name of the encrypted files:

• {Original File Name}.{Original File Extension}.crlk

It drops the following file(s) as ransom note:

• {Encrypted Directory}\---CrossLock_readme_To_Decrypt---.txt
  

It avoids encrypting files with the following file extensions:

• .bak
• .bat
• .bin
• .blf
• .ckp
• .cmd
• .com
• .crlk
• .dacpac
• .dat
• .db-shm
• .db-wal
• .dbc
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .exe
• .hta
• .icns
• .idx
• .inf
• .key
• .lnk
• .lock
• .log
• .log1
• .log2
• .msi
• .msstyles
• .mwb
• .nls
• .ocx
• .prf
• .ps1
• .reg
• .regtrans-ms
• .rnd
• .scr
• .search-ms
• .sql
• .sqlite
• .sqlite3
• .sys
• .tmd